feat(observability): surface effective agent model in /status skill

.github/workflows/ci.yml

@@ -15,6 +15,16 @@ jobs:
           cache: npm
       - run: npm ci
 
+      # Install agent-runner deps so its src/**/*.test.ts files (which
+      # vitest now picks up — see vitest.config.ts) can import their
+      # transitive deps (@anthropic-ai SDK types, nodemailer for MIME).
+      # The agent-runner has its own package.json because it's also
+      # installed standalone inside the container image at build time;
+      # root doesn't carry those deps.
+      - name: Install agent-runner deps
+        run: npm ci
+        working-directory: container/agent-runner
+
       - name: Format check
         run: npm run format:check
 

CHANGELOG.md

@@ -4,6 +4,11 @@ All notable changes to NanoClaw will be documented in this file.
 
 For detailed release notes, see the [full changelog on the documentation site](https://docs.nanoclaw.dev/changelog).
 
+## [Unreleased]
+
+- New canonical writable per-group state mount at `/workspace/state/` — sourced from `data/state/<folder>/` on the host and mounted into every container regardless of trust tier (ported from jbaruch/nanoclaw#220, addressing #99 Cat 4). Gives every tier a single canonical writable location for skills that persist state across runs, replacing per-skill workarounds. Per-group scoping (not per-session) so a scheduled task and a user-facing turn in the same group can read each other's state.
+- Heartbeat now uses the precheck-gate `script` field — the non-main heartbeat task runs `unanswered-precheck.py` first, and the agent only wakes when the precheck reports new candidates (or errors). Closes part of #62 (heartbeat container spawns running 0 queries) by skipping spawn entirely when there is nothing to do. A one-shot startup migration backfills the `script` column on existing `heartbeat-*` rows so deployed installs pick up the gate without manual DB edits.
+
 ## [1.2.36] - 2026-03-26
 
 - [BREAKING] Replaced pino logger with built-in logger. WhatsApp users must re-merge the WhatsApp fork to pick up the Baileys logger compatibility fix: `git fetch whatsapp main && git merge whatsapp/main`. If the `whatsapp` remote is not configured: `git remote add whatsapp https://github.com/qwibitai/nanoclaw-whatsapp.git`.

CLAUDE.md

@@ -23,7 +23,7 @@ Single Node.js process with skill-based channel system. Channels (WhatsApp, Tele
 
 ## Secrets / Credentials / Proxy (OneCLI)
 
-API keys, secret keys, OAuth tokens, and auth credentials are managed by the OneCLI gateway — which handles secret injection into containers at request time, so no keys or tokens are ever passed to containers directly. Run `onecli --help`.
+Most API keys, OAuth tokens, and auth credentials are managed by the OneCLI gateway — secrets are injected at request time so no value is passed to containers directly. **Exception:** main/trusted-tier containers receive `GITHUB_TOKEN` directly via the env-file mechanism (`SECRET_CONTAINER_VARS` in `src/container-runner.ts`). The token is a scoped fine-grained PAT — no admin, no branch-protection bypass — so the bot can `git push`/`pull` and call the GitHub REST API without OneCLI's HTTPS rewrite. Untrusted-tier containers receive nothing. Run `onecli --help`.
 
 ## Skills
 

container/Dockerfile

@@ -26,6 +26,19 @@ RUN apt-get update && apt-get install -y \
     poppler-utils \
     && rm -rf /var/lib/apt/lists/*
 
+# Install gh CLI from GitHub's official apt repo. Picks up GITHUB_TOKEN
+# from env automatically — wired via SECRET_CONTAINER_VARS env-file
+# (PR #32) for main/trusted tier; untrusted gets nothing and gh fails
+# closed with an auth error rather than silently using a stale token.
+RUN curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg \
+    | dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg \
+    && chmod go+r /usr/share/keyrings/githubcli-archive-keyring.gpg \
+    && echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" \
+       > /etc/apt/sources.list.d/github-cli.list \
+    && apt-get update \
+    && apt-get install -y gh \
+    && rm -rf /var/lib/apt/lists/*
+
 # Set Chromium path for agent-browser
 ENV AGENT_BROWSER_EXECUTABLE_PATH=/usr/bin/chromium
 ENV PLAYWRIGHT_CHROMIUM_EXECUTABLE_PATH=/usr/bin/chromium
@@ -73,6 +86,14 @@ RUN git config --global pack.threads 1 && \
     git config --global pack.deltaCacheSize 1m && \
     git config --global pack.windowMemory 100m
 
+# Git credential helper — uses $GITHUB_TOKEN env var at request time so
+# `git fetch/pull/push` over HTTPS works directly. The token is injected
+# via --env-file at container spawn (see SECRET_CONTAINER_VARS in the
+# orchestrator). Only main/trusted tier containers receive the token;
+# untrusted-tier containers will see this helper return empty creds and
+# get the same authentication failure they get today.
+RUN git config --system credential.helper '!f() { echo username=x-access-token; echo "password=$GITHUB_TOKEN"; }; f'
+
 
 # Run as non-root node user (uid 1000) by default.
 # The orchestrator may override with --user for non-main groups.

container/agent-runner/package.json

@@ -12,10 +12,12 @@
     "@anthropic-ai/claude-agent-sdk": "^0.2.112",
     "@modelcontextprotocol/sdk": "^1.12.1",
     "cron-parser": "^5.0.0",
+    "nodemailer": "^6.10.1",
     "zod": "^4.0.0"
   },
   "devDependencies": {
     "@types/node": "^22.10.7",
+    "@types/nodemailer": "^6.4.23",
     "typescript": "^5.7.3"
   }
 }

container/agent-runner/src/index.thinking-only.test.ts

@@ -0,0 +1,54 @@
+import { describe, it, expect } from 'vitest';
+import { isThinkingOnlyEndTurn } from './index.js';
+
+describe('isThinkingOnlyEndTurn — pseudo-turn detection', () => {
+  it('detects a turn that is only thinking + end_turn', () => {
+    expect(isThinkingOnlyEndTurn('end_turn', ['thinking'])).toBe(true);
+  });
+
+  it('detects multiple thinking blocks + end_turn', () => {
+    expect(isThinkingOnlyEndTurn('end_turn', ['thinking', 'thinking'])).toBe(
+      true,
+    );
+  });
+
+  it('detects redacted_thinking blocks alongside thinking', () => {
+    expect(
+      isThinkingOnlyEndTurn('end_turn', ['thinking', 'redacted_thinking']),
+    ).toBe(true);
+  });
+
+  it('detects only-redacted_thinking + end_turn', () => {
+    expect(isThinkingOnlyEndTurn('end_turn', ['redacted_thinking'])).toBe(true);
+  });
+
+  it('does NOT trigger when stop_reason is not end_turn', () => {
+    expect(isThinkingOnlyEndTurn('tool_use', ['thinking'])).toBe(false);
+    expect(isThinkingOnlyEndTurn('max_tokens', ['thinking'])).toBe(false);
+    expect(isThinkingOnlyEndTurn(undefined, ['thinking'])).toBe(false);
+  });
+
+  it('does NOT trigger when text blocks are present', () => {
+    expect(isThinkingOnlyEndTurn('end_turn', ['thinking', 'text'])).toBe(false);
+    expect(isThinkingOnlyEndTurn('end_turn', ['text'])).toBe(false);
+  });
+
+  it('does NOT trigger when tool_use blocks are present', () => {
+    expect(isThinkingOnlyEndTurn('end_turn', ['thinking', 'tool_use'])).toBe(
+      false,
+    );
+  });
+
+  it('does NOT trigger on an empty block list (defensive)', () => {
+    // A turn with zero content blocks is an SDK-shape edge case during
+    // certain error paths — explicitly NOT the "model decided to say
+    // nothing" pseudo-turn we're targeting. Falling back to a previous
+    // turn there would be an over-reach.
+    expect(isThinkingOnlyEndTurn('end_turn', [])).toBe(false);
+  });
+
+  it('readonly array argument is accepted', () => {
+    const blocks: readonly string[] = ['thinking'];
+    expect(isThinkingOnlyEndTurn('end_turn', blocks)).toBe(true);
+  });
+});